Skip to content

GitHub Advisory Database

Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.

GitHub reviewed advisories

Unreviewed advisories

CC-BY-4.0 License
Language support
About GitHub Advisory Database
Filter advisories

Filter advisories

GitHub reviewed advisories
All reviewed
5,000+
Composer
5,000+
Erlang
39
GitHub Actions
38
Go
2,690
Maven
5,000+
npm
4,320
NuGet
760
pip
4,096
Pub
12
RubyGems
958
Rust
1,063
Swift
45
Unreviewed advisories
All unreviewed
5,000+

4,320 advisories

Loading
Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default High
CVE-2025-66414 was published for @modelcontextprotocol/sdk (npm) Dec 2, 2025
Validator is Vulnerable to Incomplete Filtering of One or More Instances of Special Elements High
CVE-2025-12758 was published for validator (npm) Nov 27, 2025
Withdrawn Advisory: express improperly controls modification of query properties Low
CVE-2024-51999 was published for express (npm) Dec 1, 2025 withdrawn
ctcpip wesleytodd
jonchurch bjohansebas UlisesGascon
Credited to ctcpip, wesleytodd, jonchurch, bjohansebas, and UlisesGascon
Vercel’s AI SDK's filetype whitelists can be bypassed when uploading files Low
CVE-2025-48985 was published for ai (npm) Nov 7, 2025
mdast-util-to-hast has unsanitized class attribute Moderate
CVE-2025-66400 was published for mdast-util-to-hast (npm) Dec 2, 2025
Angular Stored XSS Vulnerability via SVG Animation, SVG URL and MathML Attributes High
CVE-2025-66412 was published for @angular/compiler (npm) Dec 2, 2025
alan-agius4 crisbeto
devversion AKiileX AndrewKushnir
Credited to alan-agius4, crisbeto, devversion, AKiileX, and AndrewKushnir
Portkey.ai Gateway: Server-Side Request Forgery (SSRF) in Custom Host Moderate
CVE-2025-66405 was published for @portkey-ai/gateway (npm) Dec 2, 2025
im-soohyun
Credited to im-soohyun
fastify-reply-from affected by bypass of reply forwarding Moderate
CVE-2025-66415 was published for @fastify/reply-from (npm) Dec 2, 2025
rozzilla
Credited to rozzilla
MCP Watch has a Critical Command Injection in cloneRepo allows Remote Code Execution (RCE) via malicious URL Critical
CVE-2025-66401 was published for mcp-watch (npm) Dec 2, 2025
viralvaghela
Credited to viralvaghela
Tryton sao allows XSS via an HTML attachment Moderate
CVE-2025-66420 was published for tryton-sao (npm) Nov 30, 2025
Tryton sao allows XSS because it does not escape completion values Moderate
CVE-2025-66421 was published for tryton-sao (npm) Nov 30, 2025
Better Auth affected by external request basePath modification DoS Low
GHSA-569q-mpph-wgww was published for better-auth (npm) Dec 1, 2025
goksan
Credited to goksan
Nodemailer’s addressparser is vulnerable to DoS caused by recursive calls Low
GHSA-rcmh-qjqh-p98v was published for nodemailer (npm) Dec 1, 2025
uko3211
Credited to uko3211
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions Low
GHSA-wmjr-v86c-m9jj was published for better-auth (npm) Nov 26, 2025
mufeedvh
Credited to mufeedvh
willitmerge has a Command Injection vulnerability Moderate
CVE-2025-66219 was published for willitmerge (npm) Nov 26, 2025
lirantal
Credited to lirantal
Angular is Vulnerable to XSRF Token Leakage via Protocol-Relative URLs in Angular HTTP Client High
CVE-2025-66035 was published for @angular/common (npm) Nov 26, 2025
alan-agius4 AndrewKushnir
irsl hybrist AKiileX
Credited to alan-agius4, AndrewKushnir, irsl, hybrist, and AKiileX
node-forge is vulnerable to ASN.1 OID Integer Truncation Moderate
CVE-2025-66030 was published for node-forge (npm) Nov 26, 2025
wodzen
Credited to wodzen
OneUptime Unauthorized User Creation via API High
CVE-2025-65966 was published for @oneuptime/common (npm) Nov 26, 2025
SamirWaleed
Credited to SamirWaleed
Cross-site Scripting (XSS) in serialize-javascript Moderate
CVE-2024-11831 was published for serialize-javascript (npm) Feb 10, 2025
mhassan1
Credited to mhassan1
Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE High
CVE-2025-64495 was published for open-webui (npm) Nov 7, 2025
gg0h
Credited to gg0h
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions High
CVE-2025-59828 was published for @anthropic-ai/claude-code (npm) Sep 24, 2025
cai0duque
Credited to cai0duque
OneUptime is Vulnerable to Privilege Escalation via Login Response Manipulation Moderate
CVE-2025-66028 was published for @oneuptime/common (npm) Nov 25, 2025
SamirWaleed
Credited to SamirWaleed
Claude Code vulnerable to command execution prior to startup trust dialog High
CVE-2025-65099 was published for @anthropic-ai/claude-code (npm) Nov 19, 2025
parse is vulnerable to prototype pollution Moderate
CVE-2025-57324 was published for parse (npm) Sep 24, 2025
miguelmunoz-dotcom
Credited to miguelmunoz-dotcom
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript Critical
CVE-2025-62410 was published for happy-dom (npm) Oct 15, 2025
cristianstaicu shaked-seal
Credited to cristianstaicu and shaked-seal
ProTip! Advisories are also available from the GraphQL API
CC-BY-4.0 License
Language support
About GitHub Advisory Database